

 Published on The O'Reilly Network (http://www.oreillynet.com/)
 http://www.oreillynet.com/pub/wlg/8557

Digg Vulnerable to XSS

by Nitesh Dhanjani
Nov. 23, 2005

While trying to use the ‘search’ feature on Digg, I realized that it is vulnerable to Cross Site Scripting (XSS). The search string is echoed back without proper output encoding. Example:


http://digg.com/search?search=%3Cscript%3Ealert%28%27vulnerable%20to%20xss%27%29%3B%3C%2Fscript%3E&submit=Submit
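To make the defect concrete, here is a small added example (not Digg's code; the handler and function names are hypothetical) that decodes the search parameter from the request above exactly as a server would, renders it once the way the vulnerable page did and once with HTML entity encoding applied at the point of output, and checks which of the two still carries live markup:

```python
import html
from urllib.parse import urlsplit, parse_qs

# The request from the post, used only as parser input.
REQUEST_URL = ("http://digg.com/search?search=%3Cscript%3Ealert%28%27vulnerable"
               "%20to%20xss%27%29%3B%3C%2Fscript%3E&submit=Submit")


def search_term(url: str) -> str:
    """Extract and URL-decode the 'search' parameter, as the server would."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get("search", [""])[0]


def render_vulnerable(term: str) -> str:
    """Echoes the raw search string into the page: the defect the post describes."""
    return f"<p>Results for: {term}</p>"


def render_fixed(term: str) -> str:
    """Same page, but the untrusted value is entity-encoded at output time,
    so <, >, &, " and ' can no longer open a tag or break out of an attribute."""
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


def contains_live_markup(rendered: str) -> bool:
    """Crude regression check: does the rendered HTML still contain a raw <script tag?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    term = search_term(REQUEST_URL)
    print("decoded search term:", term)
    print("vulnerable output  :", render_vulnerable(term))
    print("encoded output     :", render_fixed(term))
```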




I haven’t checked to see if the comments or new story submission modules are affected – if they are, things could get pretty messy. I have contacted the Digg team about this, let's hope they fix it soon.


Update: They fixed it this morning.

Nitesh Dhanjani is a well known security researcher, author, and speaker.

oreillynet.com Copyright © 2006 O'Reilly Media, Inc.